Automatic detection of an incomplete static analysis security assessment

ABSTRACT

Embodiments include method, systems and computer program products for automatic detection of an incomplete static analysis security assessment. In some embodiments, a method includes obtaining component versioning data associated with a build of an application. The method further includes determining, using the component versioning data associated with the build of the application, that a static analysis security assessment configuration of the application is incomplete. The method further includes, responsive to determining that the static analysis security assessment configuration of the application is incomplete, generating metadata indicating that at least a portion of the build of the application has been changed from a previous build of the application.

BACKGROUND

The present disclosure relates to data processing, and morespecifically, to methods, systems and computer program products forautomatic detection of an incomplete static analysis securityassessment.

Static analysis testing, also known as static program analysis, is acommon practice in software development that enables development teamsto determine if their products have security flaws. Static analysistesting can be performed without executing programs. The analysis can beperformed on some version of the source code, and/or some form of theobject code. Some static analysis tools tests web applications forsecurity vulnerabilities during the developmental process.

SUMMARY

In accordance with embodiments described herein, systems, methods, andcomputer program products for automatic detection of an incompletestatic analysis security assessment are provided. An example methodincludes obtaining component versioning data associated with a build ofan application. The method further includes determining, using thecomponent versioning data associated with the build of the application,that a static analysis security assessment configuration of theapplication is incomplete. The method further includes, responsive todetermining that the static analysis security assessment configurationof the application is incomplete, generating metadata indicating that atleast a portion of the build of the application has been changed from aprevious build of the application.

BRIEF DESCRIPTION OF THE DRAWINGS

The forgoing and other features, and advantages of the disclosure areapparent from the following detailed description taken in conjunctionwith the accompanying drawings in which:

FIG. 1 depicts a block diagram illustrating one example of a processingsystem for practice of the teachings herein;

FIG. 2 depicts a block diagram illustrating a computing system inaccordance with an exemplary embodiment;

FIG. 3 depicts a flow diagram of a method for automatic detection of anincomplete static analysis security assessment in accordance with anexemplary embodiment;

FIG. 4 depicts a cloud computing environment in accordance with anexemplary embodiment; and

FIG. 5 depicts abstraction model layers in accordance with an exemplaryembodiment.

DETAILED DESCRIPTION

In accordance with exemplary embodiments of the disclosure, methods,systems and computer program products for automatic detection of anincomplete static analysis security assessment are provided. The methodsand systems described herein utilize information provided by continuousintegration tools to automatically mark static analysis assessmentsincomplete or misconfigured. The continuous integration tools transmitcomponent version data to a static analysis security assessment tool,which uses the component version data to determine whether changes inthe source code or object code indicate that the static analysissecurity assessment configuration is incomplete or misconfigured.

Continuous integration refers to merging the work product of developmentindividuals and/or teams working on different components of anapplication into a shared code repository. For example, a source controlserver manages each merger or commitment of work product or code andstores the work product in a source code repository. Depending on thedevelopment environment, a continuous integration server initiates a newbuild version of an application and/or the application's componentsbased on each merger or commitment of work product. Each new buildversion and corresponding installer is stored in a repository, such as abuild product repository. The continuous integration server generatesmetadata for how to deploy applications and what components to include.This metadata can be used to check scan coverage of an application anddetect any vulnerability in scan configurations for applications.

In some examples, a static analysis server receives a notification fromthe continuous integration server that a new build version wasgenerated. The static analysis server accesses the build productrepository to perform static analysis testing on the new build version.Static analysis testing tools identify flaws or vulnerabilities inapplications during the development cycle, when developers can addressand fix issues without affecting consumers or users. Static analysistesting tools identify scan configurations of a new build version of anapplication as incomplete for different reasons. Examples of suchreasons may include, but are not limited to, portions or components ofan application not being scanned (e.g., third-party libraries beingomitted), scanning configuration or parameters are inaccurate and leadto misleading results, or rules used for the scan are incomplete.

Traditionally, a manual process is used to determine whether a staticanalysis security assessment configuration is complete or accurate. Insuch cases, a person reviews the data scanned by the static analysistool and checks whether the functionality of the application wasconsidered and tested. The present disclosure describes automatedtechniques to determine whether a static analysis security assessmentconfiguration is complete and accurate.

The techniques described herein use information provided by continuousintegration servers to automatically mark static analysis securityassessment configurations as incomplete or misconfigured. By identifyingstatic analysis security assessment configurations associated with anapplication as incomplete or misconfigured, a new scan can be initiatedusing an updated static analysis security assessment configuration toensure that the latest build of an application has been properlyscanned.

In some embodiments, the static analysis tool communicates with a sourcecontrol server. The source control server automatically notifies thestatic analysis tool of certain changes made to the source code of anapplication. In some cases, the notification indicates that the existingscan configuration is out of date based on the changes made to thesource code. For example, if new folders are added that are not includedin existing static analysis configurations or third-party components areupdated, a new scan may be necessitated.

FIG. 1 further depicts an input/output (I/O) adapter 107 and acommunications adapter 106 coupled to the system bus 113. I/O adapter107 may be a small computer system interface (SCSI) adapter thatcommunicates with a hard disk 103 and/or tape storage drive 105 or anyother similar component. I/O adapter 107, hard disk 103, and tapestorage device 105 are referred collectively to herein as mass storage104. Operating system 120 for execution on the processing system 100 maybe stored in mass storage 104. A communications adapter 106interconnects bus 113 with an outside network 116 enabling dataprocessing system 100 to communicate with other such systems. A screen(e.g., a display monitor) 115 is connected to system bus 113 by displayadapter 112, which may include a graphics adapter to improve theperformance of graphics intensive applications and a video controller.In one embodiment, adapters 107, 106, and 112 are connected to one ormore I/O busses that are connected to system bus 113 via an intermediatebus bridge (not shown). Suitable I/O buses for connecting peripheraldevices such as hard disk controllers, network adapters, and graphicsadapters typically include common protocols, such as the PeripheralComponent Interconnect (PCI). Additional input/output devices are shownas connected to system bus 113 via user interface adapter 108 anddisplay adapter 112. A keyboard 109, mouse 110, and speaker 111 allinterconnect to bus 113 via user interface adapter 108, which mayinclude, for example, a Super I/O chip integrating multiple deviceadapters into a single integrated circuit.

In exemplary embodiments, the processing system 100 includes agraphics-processing unit 130. Graphics processing unit 130 is aspecialized electronic circuit designed to manipulate and alter memoryto accelerate the creation of images in a frame buffer intended foroutput to a display. In general, graphics-processing unit 130 is veryefficient at manipulating computer graphics and image processing, andhas a highly parallel structure that makes it more effective thangeneral-purpose CPUs for algorithms where processing of large blocks ofdata is done in parallel.

Thus, as configured in FIG. 1, the system 100 includes processingcapability in the form of processors 101, storage capability includingsystem memory 114 and mass storage 104, input means such as keyboard 109and mouse 110, and output capability including speaker 111 and display115. In one embodiment, a portion of system memory 114 and mass storage104 collectively store an operating system such as the AIX® operatingsystem from IBM Corporation to coordinate the functions of the variouscomponents shown in FIG. 1.

FIG. 2 depicts a computing system 200 in accordance with aspects of thepresent disclosure. In the example illustrated, the computing system 200includes user devices 204A, 204B, 204C (collectively referred to as userdevices 204), a source control server 208, a source code repository 210,a continuous integration server 212, a build product repository 214, astatic analysis server 216, and a component versioning list comparisonengine 218 connected via one or more networks 206.

Although depicted as a client-server architecture, in some embodiments,the methods and systems described herein may be implemented using acloud service architecture. In such implementations, the user device204, source control server 208, source code repository 210, continuousintegration server 212, build product repository 214, and/or staticanalysis server 216 communicate with functionality provided in a cloudcomputing environment, such as the cloud computing environment 50 ofFIG. 4. Using a cloud computing environment may be useful in situationsin which multiple developers or teams of developers work on differentcomponents of an application and merge their work product into a sharedcode repository. For example, the shared code repository may be storedin a cloud computing environment and may be accessed and updated by thevarious developers or teams of developers working on the application.

The user device 204 executes applications and tools used to develop oneor more applications. For example, an application developer uses theuser device 204 to write code for a software application. The userdevice 204 can be any suitable type of computing device, such as acomputer, laptop, tablet, smartphone, wearable computing device, server,etc. The user device 204 is capable of communicating with other devices,such as via the networks 206.

The network(s) 206 represents any one or a combination of differenttypes of suitable communications networks such as, for example, cablenetworks, public networks (e.g., the Internet), private networks,wireless networks, cellular networks, or any other suitable privateand/or public networks. Further, the network(s) 206 may have anysuitable communication range associated therewith and may include, forexample, global networks (e.g., the Internet), metropolitan areanetworks (MANs), wide area networks (WANs), local area networks (LANs),or personal area networks (PANs). In addition, the network(s) 206 caninclude any type of medium over which network traffic may be carriedincluding, but not limited to, coaxial cable, twisted-pair wire, opticalfiber, a hybrid fiber coaxial (HFC) medium, microwave terrestrialtransceivers, radio frequency communication mediums, satellitecommunication mediums, or any combination thereof.

In some embodiments, the source control server 208 can be any type ofcomputing device with network access, such as a computer, laptop,server, tablet, smartphone, wearable computing devices, or the like. Thesource control server 208 creates a component versioning list fortracking changes in computer files and facilitating collaborative workamong teams of developers. The source control server 208 managesdocuments, websites, and/or other collections of information. In someembodiments, the source control server 208 is associated with a sourcecode repository 210. The source code repository stores metadata for aset of files and/or directory structure. Depending on whether theversion control system utilized by the source control server 208 isdistributed (e.g., in the cloud computing environment 50 of FIG. 4) orcentralized, the whole set of information in the source code repository210 can be duplicated on each user's system or can be maintained on asingle server or data store. Examples of the metadata that the sourcecode repository 210 include are a historical record of changes in therepository, a set of commit objects, and/or a set of references tocommit objects, called heads.

In some embodiments, the source control server 208 is associated withand/or communicates with a continuous integration server 212. Thecontinuous integration server 212 can be any type of computing devicewith network access, such as a computer, laptop, server, tablet,smartphone, wearable computing devices, or the like. The continuousintegration server 212 receives an indication or notification from thesource control server 208 when changes have been made to documents orfiles associated with the development of an application. The continuousintegration server 212 initiates builds of the application usinginformation committed to the source code repository 210. In someembodiments, the continuous integration server 212 schedules builds,initiates builds when other builds have completed, and/or initiates abuild by requesting a specific URL. Builds generated by the continuousintegration server 212 are stored and/or transmitted to a build productrepository 214. The build product repository is accessible by thecontinuous integration server 212 and/or static analysis server 216.

In some embodiments, the continuous integration server 212 is associatedwith and/or communicates with the static analysis server 216. The staticanalysis server 216 can be any type of computing device with networkaccess, such as a computer, laptop, server, tablet, smartphone, wearablecomputing devices, or the like. In the embodiment of FIG. 2, the staticanalysis server 216 includes a data management engine 218, a staticanalysis engine 220, and a source code copy repository 222.

The data management engine 218 includes computer-readable instructionsthat, in response to execution by the processor(s) 101, cause operationsto be performed. Such operations can include tracking data of associatedcomputing devices, such as continuous integration servers 212, sourcecontrol servers 208, source code repositories 210, build productrepositories 214, and the like. The data management engine 218 receivesnotifications and/or messages from one or more of the entities in thesystem 200. The data management engine 218 processes the receivednotifications and/or messages and transmits the data to the staticanalysis engine 220.

According to embodiments described herein, the static analysis engine220 includes computer-readable instructions that, in response toexecution by the processor(s) 101, cause operations to be performed.Such operations can include receiving data from the data managementengine 218. The static analysis engine 220 generates and maintainsstatic analysis security assessment configurations and static analysissecurity assessments associated with application builds generated by thecontinuous integrations server 212. The static analysis engine 220receives data from the continuation integration server 212 that is usedto mark a static analysis security assessment configuration associatedwith an application as incomplete. Marking the configuration incompleteenables an administrator of the system to update the configuration withappropriate parameters to ensure an accurate static analysis securityassessment.

In some embodiments, the static analysis engine 220 receives anotification or message from the component versioning list comparisonengine 218 indicating specific changes have been made to the source codeof an identified application (e.g., libraries have been added, foldershave been newly created, etc.). The component versioning list comparisonengine 218 compares the source code stored in the source code repository210 with the source code stored in the source code copy repositoryengine 222.

The static analysis engine 220 use the data from the notification ormessage from the component versioning list comparison engine 218 to markthe configuration as incomplete. In some embodiments, the staticanalysis engine 220 generates a notification to a user of the system toupdate or modify the configuration accordingly. In some embodiments, thestatic analysis engine 220 updates or modifies the static analysissecurity assessment configuration using data generated by the sourcecontrol server 208 (e.g., via source code repository 210) and/or thecontinuous integration server 212 (e.g., via build product repository214). In some embodiments, the static analysis engine 220 initiates anew static analysis security assessment using the updated or modifiedconfiguration associated with the application.

Now referring to FIG. 3, a flow diagram of a method 300 for automaticdetection of an incomplete static analysis security assessment inaccordance with an exemplary embodiment is depicted. At block 305, anotification is received from a continuous integration server 212. Insome embodiments, the data management engine 218 of the static analysisserver 216 receives a notification and/or message from the continuousintegration server 212. In some embodiments, the continuous integrationserver 212 requests a specific URL to notify the static analysis server216 that a new build is available based on a comparison of the sourcecode stored in the source code repository 210 with the source codestored in the source code copy repository engine 222. In someembodiments, the new build may be available in a build productrepository 214.

At block 310, build data associated with an application is obtained. Insome embodiments, the data management engine 218 is determined based onthe notification and/or message from the component versioning listcomparison engine 218, that a new build of an identified application isavailable. In some embodiments, the notification and/or message mayinclude data associated with the new build of the application. In someembodiments, the data indicates that the application (e.g., new build ofthe application) includes a new version of a component of theapplication. In some embodiments, the message and/or notificationincludes data associated with the new build of the application, such asuser device 204 associated with a latest update that initiated the newbuild, new build identifier, timestamp associated with new build, or thelike.

In some embodiments, the data management engine 218 transmits data fromthe notification and/or message received from the component versioninglist comparison engine 218 to the static analysis engine 220. The staticanalysis engine 220 establishes a connection with the build productrepository 214 and obtains data associated with the new build of theapplication. In some embodiments, the static analysis engine 220 obtainsdata associated with the new build of the application, generated by thecontinuous integration server 212 (e.g., metadata associated with thenew build). In some embodiments, the static analysis engine 220 usesinformation from the notification (e.g., new build identificationnumber, timestamp associated with new build, user or user device 204associated with the new build, or the like).

At block 315, the build data is compared with previously stored staticanalysis security assessments configurations. In some embodiments, thestatic analysis engine 220 analyzes the data obtained from thenotification from the continuous integration server 212 or obtained fromthe build product repository 214. The static analysis engine 220 maycompare components or versions of components of the application in thenew build or installer to a static analysis security assessmentconfiguration associated with the application.

At block 320, it is determined whether the static analysis securityassessment configuration is incomplete. If the static analysis engine220 determines that the static analysis security assessmentconfiguration is complete (e.g., not incomplete), the method terminates.

If, however, the static analysis engine 220 determines that the staticanalysis security assessment configuration is incomplete, the methodproceeds to block 325, where the static analysis engine 220 marks thestatic analysis security assessment configuration as incomplete. In someembodiments, the static analysis engine 220 generates metadataindicating that the static analysis security assessment configuration isincomplete and associates the metadata with the static analysis securityassessment configuration.

In some embodiments, the static analysis engine 220 generates andmaintains an application portfolio that includes data associated withmultiple applications, such as the applications that are developed by acompany. The static analysis engine 220 updates the applicationportfolio to indicate that the static analysis security assessmentconfiguration for the application is incomplete. In some embodiments,the static analysis engine 220 uses the metadata associated with theapplication to update the application portfolio.

In some embodiments, the method proceeds to optional block 330. Thestatic analysis engine 220 updates the static analysis securityassessment configuration associated with the application. In someembodiments, the static analysis engine 220 updates the configurationusing data from the notification from the continuous integration server212 or the obtained data associated with a new build of the application(e.g., obtained from the build product repository 214).

In some embodiments, the static analysis engine 220 initiates a newstatic analysis security assessment associated with the applicationusing the data associated with the new build of the application and theupdated static analysis security assessment configuration.

In some embodiments, the data management engine 218 receives informationfrom a source control server 208. The information can indicate that achange was made to files associated with the application. Theinformation can further indicate that the change affects an existingstatic analysis security assessment configuration associated with theapplication. The data management engine 218 transmits the data to thestatic analysis engine 220. The static analysis engine 220 initiates,facilitates, or generates an updated static analysis security assessmentconfiguration for the application using the data received from thesource control server 208. In some embodiments, the static analysisengine 220 initiates a new static analysis security assessment using theupdated scan configuration associated with the application.

It is understood that although this disclosure includes a detaileddescription on cloud computing, implementation of the teachings recitedherein are not limited to a cloud computing environment. Rather,embodiments of the present invention are capable of being implemented inconjunction with any other type of computing environment now known orlater developed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes.

Referring now to FIG. 4, illustrative cloud computing environment 50 isdepicted. As shown, cloud computing environment 50 comprises one or morecloud computing nodes 10 with which local computing devices used bycloud consumers, such as, for example, personal digital assistant (PDA)or cellular telephone 54A, desktop computer 54B, laptop computer 54C,and/or automobile computer system 54N may communicate. Nodes 10 maycommunicate with one another. They may be grouped (not shown) physicallyor virtually, in one or more networks, such as Private, Community,Public, or Hybrid clouds as described hereinabove, or a combinationthereof. This allows cloud computing environment 50 to offerinfrastructure, platforms and/or software as services for which a cloudconsumer does not need to maintain resources on a local computingdevice. It is understood that the types of computing devices 54A-N shownin FIG. 4 are intended to be illustrative only and that computing nodes10 and cloud computing environment 50 can communicate with any type ofcomputerized device over any type of network and/or network addressableconnection (e.g., using a web browser).

Referring now to FIG. 5, a set of functional abstraction layers providedby cloud computing environment 50 (FIG. 4) is shown. It should beunderstood in advance that the components, layers, and functions shownin FIG. 5 are intended to be illustrative only and embodiments of theinvention are not limited thereto. As depicted, the following layers andcorresponding functions are provided:

Hardware and software layer 60 includes hardware and softwarecomponents. Examples of hardware components include: mainframes 61; RISC(Reduced Instruction Set Computer) architecture based servers 62;servers 63; blade servers 64; storage devices 65; and networks andnetworking components 66. In some embodiments, software componentsinclude network application server software 67 and database software 68.

Virtualization layer 70 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers71; virtual storage 72; virtual networks 73, including virtual privatenetworks; virtual applications and operating systems 74; and virtualclients 75.

In one example, management layer 80 may provide the functions describedbelow. Resource provisioning 81 provides dynamic procurement ofcomputing resources and other resources that are utilized to performtasks within the cloud computing environment. Metering and Pricing 82provide cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal 83 provides access to the cloud computing environment forconsumers and system administrators. Service level management 84provides cloud computing resource allocation and management such thatrequired service levels are met. Service Level Agreement (SLA) planningand fulfillment 85 provide pre-arrangement for, and procurement of,cloud computing resources for which a future requirement is anticipatedin accordance with an SLA.

Workloads layer 90 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation 91; software development and lifecycle management 92; virtualclassroom education delivery 93; data analytics processing 94;transaction processing 95; and automatic detection of an incompletestatic analysis security assessment 96.

The present disclosure may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent disclosure.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present disclosure may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present disclosure.

Aspects of the present disclosure are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

What is claimed: 1-7. (canceled)
 8. A computer program productcomprising a non-transitory storage medium readable by a processingcircuit and storing instructions for execution by the processing circuitfor performing a method comprising: obtaining component versioning dataassociated with a build of an application; determining, using thecomponent versioning data associated with the build of the application,that a static analysis security assessment configuration of theapplication is incomplete; and responsive to determining that the staticanalysis security assessment configuration of the application isincomplete, generating metadata indicating that at least a portion ofthe new build of the application has been changed from a previous buildof the application.
 9. The computer program product of claim 8, whereinobtaining the data associated with the new build of the applicationfurther comprises: receiving a notification from a continuousintegration server that indicates a build of an application has beengenerated; establishing a connection with a build product repository;and obtaining the data associated with the build of the applicationusing information from the notification.
 10. The computer programproduct of claim 8, wherein the notification comprises the dataassociated with the build of the application.
 11. The computer programproduct of claim 8, wherein the method further comprises: initiating anew static analysis security assessment associated with the applicationusing the data associated with the build of the application.
 12. Thecomputer program product of claim 8, wherein the data associated withthe build of the application indicates that the application comprises anupdated version of a component of the application.
 13. The computerprogram product of claim 8, wherein the method further comprises:generating an application portfolio comprising a plurality of staticanalysis security assessment configurations associated with a pluralityof applications, wherein the plurality of applications comprises theapplication; and updating the application portfolio using the metadataassociated with the application.
 14. The computer program product ofclaim 8, wherein the method further comprises: receiving informationfrom a source control server indicating that a change has been madeaffecting the static analysis security assessment configurationassociated with the application; generating an updated static analysissecurity assessment configuration associated with the application; andinitiating a new static analysis security assessment using the updatedstatic analysis security assessment configuration associated with theapplication.
 15. A system, comprising: a processor in communication withone or more types of memory, the processor configured to: obtaincomponent versioning data associated with a build of an application;determine, using the component versioning data associated with the buildof the application, that a static analysis security assessmentconfiguration of the application is incomplete; and responsive todetermining that the static analysis security assessment configurationof the application is incomplete, generate metadata indicating that atleast a portion of the build of the application has been changed from aprevious build of the application.
 16. The system of claim 15, wherein,to obtain the data associated with the new build of the application, theprocessor is further configured to: receive a notification from acontinuous integration server that indicates a build of an applicationhas been generated; establish a connection with a build productrepository; and obtain the data associated with the build of theapplication using information from the notification.
 17. The system ofclaim 15, wherein the notification comprises the data associated withthe build of the application.
 18. The system of claim 15, wherein theprocessor is further configured to: initiate a new static analysissecurity assessment associated with the application using the dataassociated with the build of the application.
 19. The system of claim15, wherein the data associated with the build of the applicationindicates that the application comprises an updated version of acomponent of the application.
 20. The system of claim 15, wherein theprocessor is further configured to: generate an application portfoliocomprising a plurality of static analysis security assessmentconfigurations associated with a plurality of applications, wherein theplurality of applications comprises the application; and updating theapplication portfolio using the metadata associated with theapplication.